IT managers are fed up with their endpoint devices becoming the dumping ground for bits of vendor code that can slow performance, conflict with services running on the machines and cause huge management headaches when upgrades are needed. Vendors have imposed their agents on customer machines long enough, IT managers say, and the time has come to change how servers and endpoints are secured and managed.
"There are risks in putting too many agents on any one device, so I've had to set hard limits on how many agents we send out to our endpoints," says William Bell, director of information security at CWIE, a webhosting company in Arizona. "Some people will tell you agents are botnets waiting to happen, but if you have ever tried to patch thousands of machines without agents, you know agents have their place. It's a judgement call."
Bell is not alone in his efforts to balance the amount of software installed on clients and servers for the sake of securing and managing the machines.
"We are concerned about the performance of endpoints, and the more agents you put on them, the more you take away from performance," says Michael Gruen, IT project manager for Bernalillo County, New Mexico. "When you are talking about one tiny agent on one machine, it's not an issue. But when you have many tiny agents across many machines, they add up quickly."
Agent change is afoot
Now that IT managers are getting smarter about agents, vendors are scrambling to accommodate them.
"More vendors are looking at ways to consolidate features or architect their agents in such a way that one agent can handle the tasks of multiple software applications," says Jasmine Noel, principal analyst at Ptak, Noel & Associates. "Vendors are responding to customer complaints that they simply won't deal with so many agents."
Security vendors such as McAfee have been consolidating many features onto a single agent, and management-software makers, such as BMC Software, have developed agentless variations of their monitoring products. IBM and CA are working separately on a common agent architecture across their products that lets customers install just one agent to handle client and server tasks.
Such acquisitions as PatchLink's bid to buy SecureWave also could result in fewer agents for securing endpoints. "As they merge, I have been guaranteed that the client agent will merge as well. I'm looking for just two agents from them within six months," CWIE's Bell says. He also uses Symantec antivirus software on his endpoints.
After evaluating products from multiple vendors, Bernalillo County's Gruen decided to go with start-up Xangati to help spot performance problems and bottlenecks across his network. Xangati requires customers to install an appliance that spots anomalous traffic to root out problems, but doesn't mandate a software agent. "It was important to us to have nothing installed on the client. It would have been more effort than we could put forth," he says.
Most agree that software agents must be installed to adequately secure endpoints, but the ideal number of agents required on each device is up for debate. According to Gartner vice president John Pescatore, every endpoint today typically has at least three types of agents installed: "anti agents" (antispyware, antivirus and so forth); vulnerability-management or patch-management agents, which scan desktops to make sure they are configured appropriately; and systems management agents from companies like BMC, CA, HP and IBM. The latter type often causes the most "agent fatigue" among customers.
Even with Symantec acquiring BindView and Altiris, or McAfee picking up Citadel Security Software, customers should be aware they still could see the same number of agents from the consolidated vendor, Pescatore says.
"The ‘keep the bad guys out' agents have to change whenever threats change, but the configuration-management agents want nothing to change, and if there is a change, they will push it back," he says. "The acquisitions are good, but don't always mean a single agent. Combining these types of features can be just plain complicated from an engineering standpoint."
Others say the evolution of agent technology among security vendors isn't that much of a change. For instance, industry watchers argue the tax on the endpoint isn't much different whether you have six small, simple agents, each performing a single function, or one large agent performing six functions. Agents themselves are not the root of the agent pollution issue, says IDC vice president Charles Kolodgy. Instead, problems arise when IT managers are ill-equipped to manage numerous agents with various consoles, making the care and feeding of agents a nightmare, he says.
"Agents offer value. They allow you to extend your policy outside of your network and to control activities on endpoints no matter where they are. But there is a need to reduce the complexity of agents," Kolodgy says. "Security is great, but if you can't manage it, it lapses over time. You have to be diligent and vigilant with the agents that are required for defence in depth. Vendors must provide smart management with their agents."
When it comes to monitoring performance on endpoints, however, the agent discussion takes a turn. Many argue that unless IT managers want to be able to take actions on each client or server, there is no need to place a pesky systems management agent on each device. For instance, appliances from companies like Coradiant promise to collect data from client devices without installing an agent.
"Management vendors offer passive, server-side monitoring and active testing to avoid putting agents on devices," says George Hamilton, director of Yankee Group's enabling-technologies enterprise group. "Because endpoints are changing to include handheld devices, vendors know that an agent on each device is not feasible in the long term, so some vendors like Intel are embedding remote monitoring into the hardware."
Others point out that as operating systems mature, more capabilities will be embedded there to enable management without installing agents. In addition, management vendors continue to work toward standardising agents across their products.
"The solution we see in the long run is that, through commoditisation of chips and operating systems, agent functions will end up embedded in the operating system," says Jean-Pierre Garbani, a vice president with Forrester Research. And until then, "a universal agent architecture with a standard interface would be a good start," he says.
Because agents can't be done away with altogether, enterprise IT managers must devise plans to avoid spreading the software needlessly across their environments. According to CWIE's Bell, it requires constant attention and frequent re-evaluation to make sure endpoints have the software they need but aren't getting bogged down with code.
"If you see room to consolidate functions into one agent, the best thing to do is get that extra software off your plate," Bell says.
Others say IT managers must talk to vendors about exactly what agents they have, and demand detailed documentation as to how agents interact with each other when they're running on one machine. For instance, one IT manager says processes running on machines can conflict with the actions agents are taking or the services also scheduled to run. He says vendors such as Symantec should label their agents so it's clearer to IT managers performing an inventory what they have running.
"The large vendors that put out a lot of different software applications need to help reduce the administrative clutter of all these agents," says Chris Majauckas, computer technology manager for Metrocorp Publications. "Problems arise when you have too many agents in the pot, and you don't know which ones are compatible and which ones are fighting for resources, causing performance problems."
And if multiple agents remain a necessary evil, IT managers should pressure their vendors at least to standardise on how to tap the data in the agents and provide one management interface into the many agents.
"No one has introduced a way to tie all the agents into one console. One place where you can get at agent data and correlate it would be huge," says James Maas, network monitoring engineer at Fresenius Medical Care in Massachusetts.